Connecting to Sessions

This topic describes how to connect to bastion sessions.

For information specifically about how to create and manage bastion sessions, see Managing Sessions. For information about creating and managing bastions, see Managing Bastions.

Bastions are Oracle-managed services. You use a bastion to create Secure Shell (SSH) sessions that provide access to other private resources. But you can't connect directly to a bastion with SSH and administer or monitor it like a traditional host.

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment to work in.

To use all Bastion features, you must have the following permissions:

  • Manage bastions, sessions, and networks
  • Read Compute instances
  • Read Compute instance agent plugins
  • Inspect work requests

Example policy:

    Allow group SecurityAdmins to manage bastion-family in tenancy
    Allow group SecurityAdmins to manage virtual-network-family in tenancy
    Allow group SecurityAdmins to read instance-family in tenancy
    Allow group SecurityAdmins to read instance-agent-plugins in tenancy
    Allow group SecurityAdmins to inspect work-requests in tenancy

See Bastion IAM Policies for detailed policy information and more examples.

If you're new to policies, see Getting Started with Policies and Common Policies.

Allowing Network Access From the Bastion

The VCN (virtual cloud network) that the target resource was created in must allow incoming network traffic from the bastion on the target port.

For example, if you want to use a session to connect to port 8001 on a Compute instance from a bastion with the IP address 192.168.0.99, then the subnet used to access the instance needs to allow ingress traffic from 192.168.0.99 on port 8001.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion.
  4. Copy the Private Endpoint IP Address.
  5. Click the Target Subnet.

    If the target resource is on a different subnet than the one used by the bastion to access this VCN, edit the target resource's subnet.

  6. From the Subnet Details page, click an existing security list that is assigned to this subnet.

    Alternatively, you can create a security list and assign it to this subnet.

  7. Click Add Ingress Rule.
  8. For Source CIDR, enter a CIDR block that includes the Private Endpoint IP Address of the bastion.

    For example, the CIDR block <bastion_private_IP>/32 includes only the bastion's IP address.

  9. For IP Protocol, select TCP.
  10. For Destination Port Range, enter the port number on the target resource.

    For Managed SSH sessions, specify port 22.

  11. Click Add Ingress Rules.

To learn more, see Security Lists.
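To verify the ingress rule that the procedure above configures, the following shell functions, added here and not part of Oracle's documentation, test whether a security list rule lets the bastion's private endpoint IP reach the target port. The rule line format and the protocol numbering ("6" for TCP, "all" for all protocols) are assumptions mirroring the Console's values, and the sample rule list is constructed.

```shell
# Added example, not Oracle's code: test whether security-list ingress rules let the
# bastion's private endpoint IP reach the target port. Rule lines are ASSUMED to be
# "source_cidr protocol min_port max_port" with protocol "6" = TCP or "all".

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 0 if IPv4 address $1 lies inside CIDR block $2 (a bare address counts as /32).
cidr_contains() {
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# 0 if one rule (source CIDR $3, protocol $4, destination ports $5-$6) lets
# bastion IP $1 reach target port $2.
rule_allows() {
  cidr_contains "$1" "$3" || return 1
  case $4 in
    all) return 0 ;;
    6)   [ "$2" -ge "${5:-1}" ] && [ "$2" -le "${6:-65535}" ] ;;
    *)   return 1 ;;
  esac
}

# 0 if any rule line read from stdin lets bastion IP $1 reach target port $2.
any_rule_allows() {
  while read -r src proto lo hi; do
    rule_allows "$1" "$2" "$src" "$proto" "$lo" "$hi" && return 0
  done
  return 1
}

# Constructed sample security list: SSH from the VCN only, plus the rule added
# above for the page's bastion IP 192.168.0.99 and target port 8001.
SAMPLE_RULES='10.0.0.0/16 6 22 22
192.168.0.99/32 6 8001 8001'

# Print a verdict for bastion IP $1 and target port $2; status 1 when blocked.
check() {
  if printf '%s\n' "$SAMPLE_RULES" | any_rule_allows "$1" "$2"; then
    echo "ingress from $1 to port $2: allowed"
  else
    echo "ingress from $1 to port $2: blocked, add an ingress rule"; return 1
  fi
}
```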

Using the Console

To connect to a Compute instance using a Managed SSH session

Before you begin, you must create a Managed SSH session to the target instance.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

To connect to a Managed SSH session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH Command.
  5. To copy the command, next to SSH Command, click Copy, and then click Close.
  6. Using a text editor, replace <private key> with the path to the private key of the SSH key pair that you provided when you created the session.
  7. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it.

To connect to the SSH server on a Compute instance using a Port Forwarding session

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the SSH server on the instance, which by default is port 22.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

You can use a port forwarding session to connect to instances that don't meet all requirements for a Managed SSH session.

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH Command.
  5. To copy the command, next to SSH Command, click Copy, and then click Close.
  6. Using a text editor, replace <private key> with the path to the private key and <local port> with the local port on the machine from which you want to connect to the bastion.

    You can use any available local port. The default SSH server port is 22.

  7. (Optional) Add the verbose (-v) option to the SSH command for detailed information about the connection.

    Don't use the -vv or -vvv options.

  8. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it twice for a Port Forwarding session.

    After creating a connection to a Port Forwarding session, the process will not exit. Do not close the terminal.

    If you enabled verbose output (-v), the final message after a successful connection is:

    debug1: pledge: network

  9. Use an SSH client to connect to localhost (or 127.0.0.1) and the local port you specified, <local port>.

    Provide the name of a valid user on the instance's operating system.

    ssh -i <private key> -p <local port> <user>@localhost

    The default username on most platform images is opc. Example:

    ssh -i <private key> -p 8001 opc@localhost

    If your private key was created with a passphrase, you are prompted to enter it.

To connect to Windows using a Port Forwarding session and the Remote Desktop Protocol (RDP)

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the RDP port on the Windows instance, which by default is port 3389.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

To connect to a Windows instance using an RDP client and a Port Forwarding session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH Command.
  5. To copy the command, next to SSH Command, click Copy, and then click Close.
  6. Using a text editor, replace <private key> with the path to the private key and <local port> with the local port on the machine from which you want to connect to the bastion.

    You can use any available local port. The default RDP server port is 3389.

  7. (Optional) Add the verbose (-v) option to the SSH command for detailed information about the connection.

    Don't use the -vv or -vvv options.

  8. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it twice for a Port Forwarding session.

    After creating a connection to a Port Forwarding session, the process will not exit. Do not close the terminal.

    If you enabled verbose output (-v), the final message after a successful connection is:

    debug1: pledge: network

  9. Open an RDP client and connect to localhost (or 127.0.0.1) and the local port you specified, <local port>.

    Provide the name of an existing user on the Windows instance.

To connect to an Autonomous Transaction Processing Database using a Port Forwarding session

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the database port, which by default is port 1521.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

To connect to an Oracle Database using a Port Forwarding session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH Command.
  5. To copy the command, next to SSH Command, click Copy, and then click Close.
  6. Using a text editor, replace <private key> with the path to the private key and <local port> with the local port on the machine from which you want to connect to the bastion.

    You can use any available local port. The default Oracle Database port is 1521.

  7. (Optional) Add the verbose (-v) option to the SSH command for detailed information about the connection.

    Don't use the -vv or -vvv options.

  8. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it twice for a Port Forwarding session.

    After creating a connection to a Port Forwarding session, the process will not exit. Do not close the terminal.

    If you enabled verbose output (-v), the final message after a successful connection is:

    debug1: pledge: network

  9. Open a database client such as Oracle SQL*Plus or Oracle SQL Developer, and then connect to localhost (or 127.0.0.1) and the local port you specified, <local port>.

    Provide the name and password of an existing user on the database.

To connect to a MySQL DB System using a Port Forwarding session

Before you begin, you must create a Port Forwarding session (also known as an SSH tunnel) to the database port, which by default is port 3306.

  • You must have the private key file of the SSH key pair that you used to create the session.
  • The IP address of your machine must be in the CIDR block allowlist of the bastion that hosts the session.
  • The IP address of the bastion must be permitted to access the target resource. See Allowing Network Access From the Bastion.

To connect to a MySQL DB System using a Port Forwarding session:

  1. Open the navigation menu and click Identity & Security. Click Bastion.
  2. Under List Scope, in the Compartment list, click the name of the compartment where the bastion was created.
  3. Click the name of the bastion, and then, under Sessions, locate the session that you want to use to connect to the intended target resource.
  4. In the Actions menu for the session, click View SSH Command.
  5. To copy the command, next to SSH Command, click Copy, and then click Close.
  6. Using a text editor, replace <private key> with the path to the private key and <local port> with the local port on the machine from which you want to connect to the bastion.

    You can use any available local port. The default MySQL Database port is 3306.

  7. (Optional) Add the verbose (-v) option to the SSH command for detailed information about the connection.

    Don't use the -vv or -vvv options.

  8. Use a command line to issue the customized SSH command and connect to the bastion session.

    If your private key was created with a passphrase, you are prompted to enter it twice for a Port Forwarding session.

    After creating a connection to a Port Forwarding session, the process will not exit. Do not close the terminal.

    If you enabled verbose output (-v), the final message after a successful connection is:

    debug1: pledge: network

  9. Open a database client such as MySQL Workbench and connect to localhost (or 127.0.0.1) and the local port you specified, <local port>.

    Provide the name and password of an existing user on the database.
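The four Port Forwarding procedures above (SSH, RDP, Oracle Database and MySQL) all follow the same pattern: start the tunnel, keep it running, then point a client at localhost and the local port. The following shell script, added here and not part of Oracle's documentation, wraps that pattern: it validates the local port, starts the tunnel in the background, waits until the port is listening, runs the client, and kills the tunnel on exit. It assumes the copied SSH command has the shape built in build_tunnel_cmd (session OCID as the SSH user, bastion host host.bastion.<region>.oci.oraclecloud.com); the key path, addresses, ports and OCID in the usage comment are placeholders.

```shell
# Added example, not Oracle's code: script the Port Forwarding workflow above.
# ASSUMED command shape: session OCID as SSH user, bastion host
# host.bastion.<region>.oci.oraclecloud.com; edit build_tunnel_cmd if yours differs.

# Print the tunnel command. $1 key, $2 local port, $3 target private IP,
# $4 target port, $5 session OCID, $6 bastion host name.
build_tunnel_cmd() {
  printf 'ssh -i %s -N -L %s:%s:%s -p 22 %s@%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# 0 if $1 is an unprivileged TCP port number (1024-65535).
valid_local_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# 0 if nothing on this machine is listening on local TCP port $1.
local_port_free() {
  if command -v ss >/dev/null 2>&1; then
    ! ss -Hltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
  else
    ! lsof -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
  fi
}

# Start the tunnel in the background, wait until the local port accepts
# connections, run the client command given after the six tunnel arguments,
# and kill the tunnel on exit. A backgrounded ssh cannot prompt for a key
# passphrase, so load passphrase-protected keys into ssh-agent first.
run_via_tunnel() {
  key=$1; lport=$2; tip=$3; tport=$4; sid=$5; bhost=$6; shift 6
  valid_local_port "$lport" || { echo "bad local port: $lport" >&2; return 2; }
  local_port_free "$lport" || { echo "local port $lport is in use" >&2; return 2; }
  $(build_tunnel_cmd "$key" "$lport" "$tip" "$tport" "$sid" "$bhost") &
  tunnel=$!
  trap 'kill "$tunnel" 2>/dev/null' EXIT INT TERM
  tries=0
  while local_port_free "$lport"; do
    kill -0 "$tunnel" 2>/dev/null || { echo "tunnel exited; rerun with -v" >&2; return 1; }
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "tunnel did not open in 30s" >&2; return 1; }
    sleep 1
  done
  "$@"
}

# Usage (placeholders; for RDP, Oracle Database or MySQL use target port 3389, 1521
# or 3306 and the matching client):  run_via_tunnel ~/.ssh/id_rsa 8001 10.0.1.5 22 \
#   'ocid1.bastionsession.<placeholder>' host.bastion.<region>.oci.oraclecloud.com \
#   ssh -i ~/.ssh/id_rsa -p 8001 opc@localhost
```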